https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498

t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.74.15) - mailcious
149.154.167.99 - mailcious
104.76.74.15
78.47.207.136 - mailcious

ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Telegram Domain (t .me in TLS SNI)

https://steamcommunity.com/profiles/76561199768374681

http://185.215.113.117/nholman/

185.215.113.117 - malware

https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498

t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.74.15) - mailcious
149.154.167.99 - mailcious
104.76.74.15
78.47.207.136 - mailcious

ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

https://steamcommunity.com/profiles/76561199768374681

https://yip.su/RNWPd.exe - rule_id: 37623
https://pastebin.com/raw/V6VJsrV3 - rule_id: 37255

pastebin.com(104.20.3.235) - mailcious
yip.su(104.21.79.77) - mailcious
104.21.79.77 - phishing
104.20.3.235 - malware

ET DNS Query for .su TLD (Soviet Union) Often Malware Related
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://yip.su/RNWPd.exe
https://pastebin.com/raw/V6VJsrV3

89.105.223.249 - mailcious

ET MALWARE [ANY.RUN] MetaStealer v.5 CnC Activity (MC-NMF TLS SNI)

https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498

t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.74.15) - mailcious
149.154.167.99 - mailcious
104.76.74.15
78.47.207.136 - mailcious

ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://steamcommunity.com/profiles/76561199768374681

193.233.255.84

ET DROP Spamhaus DROP Listed Traffic Inbound group 37
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498

t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.74.15) - mailcious
149.154.167.99 - mailcious
104.76.74.15
78.47.207.136 - mailcious

ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

https://steamcommunity.com/profiles/76561199768374681

http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
http://46.8.231.109/ - rule_id: 42142
http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll

innovaxingenieros.com(167.114.163.236) - malware
46.8.231.109 - mailcious
167.114.163.236 - mailcious

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity

http://46.8.231.109/c4754d4f680ead72.php
http://46.8.231.109/

http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
http://46.8.231.109/ - rule_id: 42142
http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll

46.8.231.109 - mailcious

ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity

http://46.8.231.109/c4754d4f680ead72.php
http://46.8.231.109/